
Malware Brief: Crafty phishing, BYOVD and Android RATs
The malware news keeps on coming. Today we’ll look briefly at a campaign that uses ads on Meta platforms to deliver RAT malware to Android devices; a technique called bring-your-own-vulnerable-driver (BYOVD) that is being used against Windows users; and a multistage phishing technique used by the well-known Russia-based ransomware group Black Basta.
Malvertising on Meta targets Android systems
Type: RAT, Spyware
Malware: Brokewell
Spread: Malvertising
Vector: Meta environments
Target: Android systems
Active since: July 2024
Threat actors are reported to be using malvertising on Meta platforms to spread a trojanized app. The ads promise a free TradingView Premium app, but what the victim actually sideloads is a build of Brokewell, an Android spyware and remote access Trojan (RAT).
As detailed in this BleepingComputer article, Brokewell combines a remote-access backdoor with activity recording and data theft, hunting in particular for banking and cryptocurrency credentials and data on the infected device.
Bring-your-own-vulnerable-driver (BYOVD)
Type: RAT
Malware: ValleyRAT
Spread: Vulnerable Microsoft-signed WatchDog Antimalware drivers
Threat group: Silver Fox
Target: Microsoft Windows 7 through 11
As reported in SC Media, the cybercriminal group tracked as Silver Fox has been using a BYOVD attack technique to infect Windows systems with the ValleyRAT remote access Trojan.
In a BYOVD attack, the attacker brings along a legitimately signed driver that has a known vulnerability, installs it on the victim machine and then exploits that vulnerability. In this case the driver was a Microsoft-signed WatchDog Antimalware driver (or a Zemana driver on Windows 7 hosts). Neither driver appeared in Microsoft’s Vulnerable Driver Blocklist at the time, so the blocklist offered no protection even where it was enabled.
Because kernel drivers run in ring 0 with the same privileges as the operating system itself, exploiting such a driver gives the attacker kernel-level code execution, on a par with the security software that is supposed to stop them. From there they can install ValleyRAT without detection and take full control of the infected system.
For a thorough technical analysis, check out this article in The Hacker News.
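The practical lesson of the Silver Fox campaign is that a valid Microsoft signature on a driver proves nothing about whether it is safe to have loaded, and the built-in blocklist lags. The following is an added example, not code from the reports cited above: a small detection that runs over Sysmon Event ID 6 (DriverLoad) records and flags loads whose SHA-256 is on a vulnerable-driver blocklist or that come from a user-writable path. The event records are constructed, and the blocklist hash is a placeholder; in real use you would populate the set from Microsoft’s recommended driver block rules or the LOLDrivers project (both assumed to be exported by you, the script fetches nothing).

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 (DriverLoad) data.

Added example (not code from the reports cited on this page). The event
records and the blocklist hash below are constructed placeholders, not
real telemetry or real vulnerable-driver hashes.
"""
import re
from dataclasses import dataclass

# Hypothetical SHA-256 blocklist. In practice, populate it from Microsoft's
# recommended driver block rules and the LOLDrivers project; this script
# does not fetch either feed (assumption: you export them yourself).
BLOCKLIST_SHA256 = {
    "1" * 64,  # placeholder hash standing in for a known vulnerable driver
}

# Legitimate drivers live under System32\drivers. A driver loaded from a
# user-writable location is a classic BYOVD tell: the attacker drops the
# vulnerable driver next to the malware and registers a service for it.
SUSPICIOUS_PATH = re.compile(
    r"^c:\\(users|programdata|windows\\temp|temp)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    image: str
    reason: str


def parse_hashes(field: str) -> dict:
    """Sysmon writes Hashes as 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def check_driver_load(event: dict) -> list:
    """Return the reasons (if any) this single DriverLoad event looks like BYOVD."""
    findings = []
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")

    if sha256 in BLOCKLIST_SHA256:
        findings.append(Finding(image, "SHA-256 on vulnerable-driver blocklist"))
    if SUSPICIOUS_PATH.match(image):
        findings.append(Finding(image, "driver loaded from user-writable path"))
    # An unsigned driver is worth a look, but a valid Microsoft/WHQL signature
    # is NOT a clean bill of health: the drivers abused in BYOVD are signed,
    # which is exactly why the hash and path checks above are needed.
    if (event.get("Signed", "").lower() != "true"
            or event.get("SignatureStatus") != "Valid"):
        findings.append(Finding(image, "unsigned driver or invalid signature"))
    return findings


def scan(events) -> list:
    """Run check_driver_load over a batch of events and flatten the findings."""
    return [f for e in events for f in check_driver_load(e)]


# Constructed sample records (not real Sysmon output). Only the fields the
# checks use are included.
SAMPLE_EVENTS = [
    {   # normal Windows driver: nothing to report
        "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
        "Hashes": "SHA1=x,MD5=x,SHA256=" + "2" * 64 + ",IMPHASH=x",
        "Signed": "true",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {   # BYOVD pattern: validly signed, but blocklisted and dropped in ProgramData
        "ImageLoaded": r"C:\ProgramData\Update\vendor_am.sys",
        "Hashes": "SHA1=x,MD5=x,SHA256=" + "1" * 64 + ",IMPHASH=x",
        "Signed": "true",
        "Signature": "Microsoft Windows Hardware Compatibility Publisher",
        "SignatureStatus": "Valid",
    },
    {   # unsigned driver loaded from Temp
        "ImageLoaded": r"C:\Windows\Temp\svc.sys",
        "Hashes": "SHA1=x,MD5=x,SHA256=" + "3" * 64 + ",IMPHASH=x",
        "Signed": "false",
        "Signature": "",
        "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.reason}: {finding.image}")
```

Note that the second sample record passes the signature check cleanly and is caught only by the hash and path rules; that is the situation the page describes, a WHQL-signed driver that the platform itself will happily load. Keep the hash feed fresh, because a driver that is not yet in Microsoft’s blocklist may already be in a community feed.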
Black Basta uses advanced phishing to drop malware
Type: Various
Malware: Zbot, DarkGate, custom malware
Spread: Email bombing followed by Microsoft Teams impersonation of the IT help desk
Late last year, the threat group Black Basta was observed to be using a novel phishing technique to lure victims into installing malware on their systems.
First, the target’s inbox is flooded with unwanted email (email bombing), creating the impression that some kind of cyberattack is in progress. Then the attackers contact the target via Microsoft Teams, posing as members of the target company’s IT help desk.
Once the target accepts the chat, they are talked into running what is presented as a fix but actually installs malware. Typically a credential harvester runs first to capture the user’s credentials; the attackers then deploy a loader such as Zbot (also known as Zloader) or DarkGate to bring in further payloads.
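The two-step lure described above leaves a recognisable trail in telemetry: a sudden burst of inbound mail to one mailbox, followed within hours by a Teams chat from outside the tenant. The following is an added example, not code from Black Basta reporting or from any vendor product: a correlation rule that first finds email-bombed users from mail-gateway events, then alerts when an external Teams sender reaches one of them inside a follow-up window. All events are constructed, and the thresholds and window sizes are assumptions to tune for your own tenant.

```python
"""Correlate an email-bombing burst with a follow-up external Teams chat.

Added example (not code from the reports on this page). All events below
are constructed; the thresholds are assumptions to tune for your tenant.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

BURST_THRESHOLD = 50                  # inbound messages to one mailbox ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window counts as an email bomb
FOLLOWUP_WINDOW = timedelta(hours=4)  # how long after the bomb a "help desk" chat is suspicious


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    recipient: str


@dataclass(frozen=True)
class TeamsChat:
    ts: datetime
    recipient: str
    sender: str
    external: bool   # sender belongs to another tenant (external access / federation)


def find_mail_bursts(mail) -> dict:
    """Map each bombed recipient to the time the burst began."""
    by_user = defaultdict(list)
    for m in mail:
        by_user[m.recipient].append(m.ts)
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        # A burst starts at index i if the BURST_THRESHOLD-th message from i
        # arrives within BURST_WINDOW of it.
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                bursts[user] = times[i]
                break
    return bursts


def correlate(mail, chats) -> list:
    """Alert on external Teams chats that reach a freshly email-bombed user."""
    bursts = find_mail_bursts(mail)
    alerts = []
    for chat in chats:
        start = bursts.get(chat.recipient)
        if chat.external and start is not None and start <= chat.ts <= start + FOLLOWUP_WINDOW:
            alerts.append({"user": chat.recipient, "sender": chat.sender,
                           "burst_start": start, "chat_at": chat.ts})
    return alerts


# Constructed sample data (hypothetical users and an invented external tenant).
T0 = datetime(2025, 1, 15, 9, 0, 0)
MAIL = (
    # 120 messages to alice in four minutes: an email bomb
    [MailEvent(T0 + timedelta(seconds=2 * i), "alice@example.com") for i in range(120)]
    # a normal trickle for bob
    + [MailEvent(T0 + timedelta(minutes=10 * i), "bob@example.com") for i in range(6)]
)
CHATS = [
    # external "help desk" reaches alice 40 minutes after the flood began
    TeamsChat(T0 + timedelta(minutes=40), "alice@example.com",
              "it-helpdesk@example-support.onmicrosoft.com", external=True),
    # a colleague messaging alice internally: not interesting
    TeamsChat(T0 + timedelta(minutes=45), "alice@example.com",
              "bob@example.com", external=False),
    # external contact to bob, who was not bombed: not interesting on its own
    TeamsChat(T0 + timedelta(minutes=50), "bob@example.com",
              "it-helpdesk@example-support.onmicrosoft.com", external=True),
]

if __name__ == "__main__":
    for a in correlate(MAIL, CHATS):
        print(f"{a['user']}: bombed from {a['burst_start']}, "
              f"external chat from {a['sender']} at {a['chat_at']}")
```

The rule deliberately requires both signals. External Teams contact alone is noisy in any organisation that federates with partners, and mail floods happen for innocent reasons, but an outsider calling a user right after that user’s inbox is flooded is the Black Basta pattern and worth a call to the real help desk.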